Financial Services Cloud Forum

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

@Asif Riaz thank you for posting this - this is a very good tactical and implementation direction - appreciate all of the work!!  The harder challenge remains the lack of consistency and need for harmonization of varying regulations. There needs to be an overarching holistic AI governance framework that encompasses key principles and controls from various regulations.  At a strategic level there needs to be mechanisms that allow the framework to be flexible enough to accommodate the specific nuances of each regulation while maintaining consistency in core governance principles.  That might result in a myriad of scenarios and risk assessments and mitigations but a thorough risk assessment to identify potential compliance risks and gaps associated with each of the different regulations and then develop mitigation strategies and controls that address these risks/gaps while harmonizing as much as possible in transparent and explainable documentation is critical.  again KUDOS on the work thus far - more needed and this should be a priority for the Council and Forum (my 2cents)

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

@Asif Riaz is there some sort of integration we can do with watsonx.ai for dynamic compliance monitoring system that can monitor changes in regulations based on the evolving legal landscape to ensure ongoing compliance?  If there is a way to integrate scenario analysis for that as I mentioned above that would be really compelling.

@Asif Riaz thank you for posting this - this is a very good tactical and implementation direction - appreciate all of the work!!  The harder challenge remains the lack of consistency and need for harmonization of varying regulations. There needs to be an overarching holistic AI governance framework that encompasses key principles and controls from various regulations.  At a strategic level there needs to be mechanisms that allow the framework to be flexible enough to accommodate the specific nuances of each regulation while maintaining consistency in core governance principles.  That might result in a myriad of scenarios and risk assessments and mitigations but a thorough risk assessment to identify potential compliance risks and gaps associated with each of the different regulations and then develop mitigation strategies and controls that address these risks/gaps while harmonizing as much as possible in transparent and explainable documentation is critical.  again KUDOS on the work thus far - more needed and this should be a priority for the Council and Forum (my 2cents)

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

@Asif Riaz thank you for posting this - this is a very good tactical and implementation direction - appreciate all of the work!!  The harder challenge remains the lack of consistency and need for harmonization of varying regulations. There needs to be an overarching holistic AI governance framework that encompasses key principles and controls from various regulations.  At a strategic level there needs to be mechanisms that allow the framework to be flexible enough to accommodate the specific nuances of each regulation while maintaining consistency in core governance principles.  That might result in a myriad of scenarios and risk assessments and mitigations but a thorough risk assessment to identify potential compliance risks and gaps associated with each of the different regulations and then develop mitigation strategies and controls that address these risks/gaps while harmonizing as much as possible in transparent and explainable documentation is critical.  again KUDOS on the work thus far - more needed and this should be a priority for the Council and Forum (my 2cents)

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

Appreciate the feedback, Weiyee. The development of GenAI controls approach continues to be a focus area for us. As we continue down the path of further developing/refining the GenAI controls approach, we will need to ensure that the core GenAI regulatory principles/requirements from various regulatory bodies are being accounted for; granted there aren't many contradictory requirements.

@Asif Riaz thank you for posting this - this is a very good tactical and implementation direction - appreciate all of the work!!  The harder challenge remains the lack of consistency and need for harmonization of varying regulations. There needs to be an overarching holistic AI governance framework that encompasses key principles and controls from various regulations.  At a strategic level there needs to be mechanisms that allow the framework to be flexible enough to accommodate the specific nuances of each regulation while maintaining consistency in core governance principles.  That might result in a myriad of scenarios and risk assessments and mitigations but a thorough risk assessment to identify potential compliance risks and gaps associated with each of the different regulations and then develop mitigation strategies and controls that address these risks/gaps while harmonizing as much as possible in transparent and explainable documentation is critical.  again KUDOS on the work thus far - more needed and this should be a priority for the Council and Forum (my 2cents)

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

Appreciate the feedback, Weiyee. The development of GenAI controls approach continues to be a focus area for us. As we continue down the path of further developing/refining the GenAI controls approach, we will need to ensure that the core GenAI regulatory principles/requirements from various regulatory bodies are being accounted for; granted there aren't many contradictory requirements.

@Asif Riaz thank you for posting this - this is a very good tactical and implementation direction - appreciate all of the work!!  The harder challenge remains the lack of consistency and need for harmonization of varying regulations. There needs to be an overarching holistic AI governance framework that encompasses key principles and controls from various regulations.  At a strategic level there needs to be mechanisms that allow the framework to be flexible enough to accommodate the specific nuances of each regulation while maintaining consistency in core governance principles.  That might result in a myriad of scenarios and risk assessments and mitigations but a thorough risk assessment to identify potential compliance risks and gaps associated with each of the different regulations and then develop mitigation strategies and controls that address these risks/gaps while harmonizing as much as possible in transparent and explainable documentation is critical.  again KUDOS on the work thus far - more needed and this should be a priority for the Council and Forum (my 2cents)

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

Appreciate the feedback, Weiyee. The development of GenAI controls approach continues to be a focus area for us. As we continue down the path of further developing/refining the GenAI controls approach, we will need to ensure that the core GenAI regulatory principles/requirements from various regulatory bodies are being accounted for; granted there aren't many contradictory requirements.

@Asif Riaz thank you for posting this - this is a very good tactical and implementation direction - appreciate all of the work!!  The harder challenge remains the lack of consistency and need for harmonization of varying regulations. There needs to be an overarching holistic AI governance framework that encompasses key principles and controls from various regulations.  At a strategic level there needs to be mechanisms that allow the framework to be flexible enough to accommodate the specific nuances of each regulation while maintaining consistency in core governance principles.  That might result in a myriad of scenarios and risk assessments and mitigations but a thorough risk assessment to identify potential compliance risks and gaps associated with each of the different regulations and then develop mitigation strategies and controls that address these risks/gaps while harmonizing as much as possible in transparent and explainable documentation is critical.  again KUDOS on the work thus far - more needed and this should be a priority for the Council and Forum (my 2cents)

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

@Asif Riaz - on the top row - grey boxes - you have Risk Assessment and then separately a Security Awareness training - do we need to separate out a specific Security and Vulnerability Assessment?  at a basic level it would be office-CISO or CSO identifying and addressing security vulnerabilities in AI models to prevent unauthorized access, data breaches, or other security incidents, etc.  but broader - we need to look holistically at susceptibility of GAN and adversarial attacks, where malicious actors attempt to gain access to models beyond manipulating the model's outputs by injecting carefully crafted input data, and content generated by internal or external models etc. - sorry just sending thoughts in between meetings

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz

Really good points, Weiyee. We'd be happy to have a discussion with you early next year to go over some of these points you have raised. 

@Asif Riaz - on the top row - grey boxes - you have Risk Assessment and then separately a Security Awareness training - do we need to separate out a specific Security and Vulnerability Assessment?  at a basic level it would be office-CISO or CSO identifying and addressing security vulnerabilities in AI models to prevent unauthorized access, data breaches, or other security incidents, etc.  but broader - we need to look holistically at susceptibility of GAN and adversarial attacks, where malicious actors attempt to gain access to models beyond manipulating the model's outputs by injecting carefully crafted input data, and content generated by internal or external models etc. - sorry just sending thoughts in between meetings

The financial sector continues to wrestle with how to leverage Generative AI in an open, trusted, and explainable manner. The lack of an industry standard framework of controls leaves each organization to try and figure it out on their own. As part of IBM's Financial Services Cloud Council, a working group of over two dozen financial institutions is banding together to identify which controls are imperative in developing a sound Generative AI Security, Risk, and Governance program.

Based on the chart above, what are additional considerations that people think are important to include in a Generative AI control framework?

Feedback and thoughts are welcomed in response to this thread.

Thank You
@Asif Riaz